CVE-2026-4670 is a critical authentication bypass in MOVEit Automation: remotely exploitable, no privileges required, no user interaction. It affects all versions before 2025.1.5, 2025.0.9 and 2024.1.8, and it ships alongside a high-severity privilege escalation flaw, CVE-2026-5174. The two vulnerabilities chain: an unauthenticated attacker who bypasses authentication and then escalates privileges has full control of the MOVEit Automation instance.

PwnDefend's Daniel Card scanned Shodan and found over 1,400 internet-exposed MOVEit Automation instances. More than a dozen are linked to US state and local government agencies. Those numbers are the reason this vulnerability does not sit quietly in a patch advisory.

The Clop Context Cannot Be Separated From This Story

In 2023, the Clop ransomware group mass-exploited a zero-day in MOVEit Transfer, a related Progress Software product, hitting victims in the days before a patch was available; the downstream victim count eventually exceeded 2,100 organisations. The campaign was not opportunistic. It was pre-planned, executed at scale within days of the vulnerability window opening, and aimed at MOVEit Transfer specifically because managed file transfer infrastructure holds sensitive data in transit between organisations. Clop had already run the same playbook against Accellion FTA, SolarWinds Serv-U and GoAnywhere, and ran it again against Cleo's file transfer products in late 2024.

The pattern is consistent: Clop identifies managed file transfer platforms as high-value targets, acquires or develops exploitation capability, and executes mass campaigns that extract data from as many victims as possible before patches are deployed. MOVEit is a named target in that pattern. CVE-2026-4670 is a critical, unauthenticated bypass in a MOVEit product, and the 1,400 exposed instances are an internet-facing attack surface that Clop has demonstrated both the intent and the capability to enumerate at scale.

The vulnerability does not need to be a zero-day to be mass-exploited. It needs to be unpatched on enough exposed instances when exploitation begins.

Defender Actions

  • Upgrade to 2025.1.5, 2025.0.9 or 2024.1.8 immediately using the full installer. Progress has specified a full installer upgrade rather than a patch, so in-place partial updates are insufficient; confirm the running build number after the upgrade rather than trusting that the package you ran completed
  • Verify your MOVEit Automation instance is not internet-exposed. If it is, restrict access to known IP ranges at the network perimeter while the upgrade is completed, and treat the period of exposure as a window to investigate, not just a gap to close
  • Audit MOVEit Automation logs for authentication anomalies, unexpected API calls and file access events from unfamiliar sources. Look back well before the disclosure date: Clop's 2023 MOVEit Transfer exploitation began before the advisory, so the date a bug becomes public is not a lower bound on when it was first used against you
  • In SIEM, alert on any successful authentication to MOVEit Automation from IPs outside your defined trusted ranges. Do not assume a bypass necessarily produces a normal login entry: depending on how the flaw works, the attacker's session may show up only as API, task or file activity with no preceding authentication event from that source, so alert on that pattern as well
  • Apply CVE-2026-5174 mitigations at the same time. Patching the bypass without addressing the privilege escalation leaves half the chain intact, and an attacker who obtains a low-privileged account by other means can still use it
  • Treat any MOVEit Automation instance handling sensitive data transfers as a priority asset requiring same-day remediation on critical CVEs, not standard patch cycle timelines
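As an added illustration of the version-check, log-audit and alerting steps above (example code written for this page, not Progress tooling or any published detection), the script below does two things: decides whether an installed build is older than the fixed build for its branch, using the build numbers quoted in the advisory summary, and walks a set of log lines flagging both successful logins from outside trusted ranges and activity from a user/source pair that never logged in. The log line format, event names, field names and trusted ranges are constructed for the example and are not MOVEit Automation's real schema; the treatment of branches newer than 2025.1 as unaffected is an assumption to confirm against the vendor advisory.

```python
"""Triage helpers for the MOVEit Automation defender actions above.

Added example for this page, not code from Progress or from any published
detection content. The log line format, event names, field names and trusted
ranges below are constructed for the example; map them onto the real MOVEit
Automation log schema and your own address plan before use.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Fixed builds per release branch, as stated in the advisory summary above.
FIXED_BUILDS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (2025, 1): (2025, 1, 5),
    (2025, 0): (2025, 0, 9),
    (2024, 1): (2024, 1, 8),
}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn 'YYYY.minor.patch' into a comparable tuple of ints."""
    parts = [int(p) for p in version.strip().split(".")]
    if len(parts) != 3:
        raise ValueError(f"expected major.minor.patch, got {version!r}")
    return parts[0], parts[1], parts[2]


def is_vulnerable(version: str) -> bool:
    """True when the installed build is older than the fixed build for its branch.

    Branches older than 2024.1 have no fixed build and are treated as
    vulnerable. Branches newer than 2025.1 are not 'before' any fixed build,
    so they are treated as unaffected; that is an assumption to confirm
    against the vendor advisory, not a fact stated on this page.
    """
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_BUILDS:
        return (major, minor, patch) < FIXED_BUILDS[branch]
    return branch < (2024, 1)


# Constructed sample log lines (hypothetical format: timestamp, event, key=value
# pairs), in time order. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for untrusted internet sources.
SAMPLE_LOG = [
    "2026-03-02T10:14:22Z AUTH_SUCCESS user=admin src=10.20.30.40",
    "2026-03-02T10:15:01Z API_CALL user=admin src=10.20.30.40 op=ListTasks",
    "2026-03-02T11:02:09Z AUTH_SUCCESS user=svc_transfer src=203.0.113.77",
    "2026-03-02T11:03:45Z API_CALL user=svc_transfer src=203.0.113.77 op=CreateTask",
    "2026-03-02T11:10:00Z FILE_ACCESS user=admin src=198.51.100.9 path=/hr/payroll.csv",
]

# Hypothetical trusted ranges: replace with the ranges that may reach the console.
TRUSTED_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>\S+)\s*(?P<kv>.*)$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one constructed log line into a dict; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "event": m["event"]}
    for pair in m["kv"].split():
        key, sep, value = pair.partition("=")
        if sep:
            rec[key] = value
    return rec


def is_trusted(src: str, trusted: Iterable[ipaddress.IPv4Network]) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in trusted)


def find_anomalies(lines: Iterable[str], trusted) -> List[Dict[str, str]]:
    """Flag two patterns from the defender actions above.

    external_auth_success: a successful login from outside the trusted ranges.
    activity_without_login: API or file activity for a (user, source) pair that
    never produced a successful login in the log window, which is what a bypass
    that skips the login path entirely would look like.
    """
    anomalies: List[Dict[str, str]] = []
    seen_logins = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or "src" not in rec:
            continue
        key = (rec.get("user"), rec["src"])
        if rec["event"] == "AUTH_SUCCESS":
            seen_logins.add(key)
            if not is_trusted(rec["src"], trusted):
                anomalies.append({"kind": "external_auth_success", "ts": rec["ts"],
                                  "user": rec.get("user", ""), "src": rec["src"]})
        elif rec["event"] in ("API_CALL", "FILE_ACCESS") and key not in seen_logins:
            anomalies.append({"kind": "activity_without_login", "ts": rec["ts"],
                              "user": rec.get("user", ""), "src": rec["src"]})
    return anomalies


if __name__ == "__main__":
    for v in ("2025.1.4", "2025.1.5", "2024.1.8", "2023.1.2"):
        print(f"{v}: {'VULNERABLE' if is_vulnerable(v) else 'fixed'}")
    for a in find_anomalies(SAMPLE_LOG, TRUSTED_RANGES):
        print(a)
```

Run it as-is to see the two constructed anomalies; in practice, feed `find_anomalies` the exported log window (reaching back well before the disclosure date) and the ranges that legitimately reach the console. The `activity_without_login` rule is deliberately stateful across the whole window, so truncating the input at the disclosure date would turn every legitimate long-lived session into a false positive.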

Clop does not wait for the patch window to close.
